Most enterprise networks require password-based authentication of users before permitting access to network resources. In many networks, a user is initially assigned a password and is then permitted to change it as desired; the same password may remain in use for days or weeks before it is changed. In contrast, some networks require a one-time password (OTP) for access to network resources. A one-time password is typically valid only for a limited time before it expires, and in some cases that time is a matter of seconds. OTPs are useful in defeating replay attacks on network computing systems. In a replay attack, an eavesdropper captures the authentication information of a legitimate user, such as a username and password, and submits the same information at a later time to gain access to network resources. Because an OTP has expired, or has already been consumed, by the time the eavesdropper attempts to reuse it, the captured value no longer grants access.
In many cases, users carry small devices (tokens) that generate and display partial passwords matching the partial passwords generated by a central OTP server. In particular, the device and the OTP server each generate the same sequence of partial one-time passwords, which the user applies in successive authentication attempts. The device and the OTP server may use a secure hash function to derive a unique sequence of partial OTPs for each user, typically from a per-user secret seed shared by the device and the server together with a synchronized counter or clock value, so that no password need ever be transmitted to the device and the two sides stay in step without communicating.
To access a network resource protected by an OTP, a user combines the partial OTP currently displayed by the device with a personal identification number (PIN) known to the user and to the OTP server. This combination constitutes the full OTP: the partial OTP proves possession of the device, and the PIN proves knowledge of a secret, so a stolen device alone is not sufficient. After combining the partial OTP generated by the device with the PIN, the user submits the resulting full OTP to the OTP server. The OTP server then validates the full OTP and grants or rejects access to the protected resource.
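The two preceding paragraphs describe the scheme but not how both sides stay synchronized, how the PIN and the partial OTP are checked, or how a replayed value is rejected. The following is an added example written for this page; it is not code from the original text or from any product the text describes. It instantiates the "secure hash function" as HMAC-SHA1 over an event counter in the manner of HOTP (RFC 4226), which is an assumption about this page, and it uses the RFC 4226 test seed as a constructed demo secret. The server keeps a small look-ahead window so that a token whose counter has run ahead (the user pressed the button without authenticating) still validates, and it advances the stored counter past every accepted value so the same full OTP cannot be replayed. Class and function names are illustrative.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 4226 test secret "12345678901234567890").
# In practice each token holds its own seed, provisioned out of band.
DEMO_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
DIGITS = 6  # length of the displayed partial OTP


def partial_otp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """Partial OTP for one counter value: HOTP-style HMAC-SHA1 truncation.

    A time-based variant would pass int(time.time()) // 30 as the counter,
    which is what gives the 'expires in seconds' behaviour described above.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The user's device: shows one partial OTP per button press."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def next_partial(self) -> str:
        value = partial_otp(self.seed, self.counter)
        self.counter += 1
        return value


class OtpServer:
    """Validates PIN + partial OTP and prevents reuse of accepted values."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead
        self.users = {}  # username -> {"seed", "pin", "counter"}

    def enroll(self, username: str, seed: bytes, pin: str) -> None:
        self.users[username] = {"seed": seed, "pin": pin, "counter": 0}

    def validate(self, username: str, full_otp: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        pin = rec["pin"]
        if len(full_otp) != len(pin) + DIGITS:
            return False
        # Full OTP = PIN (something known) followed by partial OTP (something held).
        pin_part, partial = full_otp[:len(pin)], full_otp[len(pin):]
        pin_ok = hmac.compare_digest(pin_part, pin)
        # Search from the last accepted counter forward; earlier counters are
        # never re-tried, which is what makes a replayed OTP fail.
        for c in range(rec["counter"], rec["counter"] + self.look_ahead):
            if hmac.compare_digest(partial, partial_otp(rec["seed"], c)) and pin_ok:
                rec["counter"] = c + 1  # consume this and all earlier values
                return True
        return False


def demo() -> dict:
    """Walk through enrollment, login, replay, resync and a wrong PIN."""
    server = OtpServer()
    token = Token(DEMO_SEED)
    server.enroll("alice", DEMO_SEED, "1234")

    first = "1234" + token.next_partial()          # counter 0
    results = {"login": server.validate("alice", first)}
    results["replay"] = server.validate("alice", first)  # same value again

    token.next_partial()                            # counter 1, never submitted
    token.next_partial()                            # counter 2, never submitted
    third = "1234" + token.next_partial()           # counter 3, inside look-ahead
    results["resync"] = server.validate("alice", third)
    results["wrong_pin"] = server.validate("alice", "0000" + token.next_partial())
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usual trade-off: a larger window tolerates more unsubmitted presses but gives an attacker more candidate values per guess, so deployments pair it with a retry limit. Checking the PIN and the partial OTP with `hmac.compare_digest` avoids leaking which half was wrong through timing, and reporting a single combined failure avoids leaking it through the response.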